kris
/
xmss-KAT-generator
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
75 Revize
1 Větev
488 KiB
 
 
Strom: 270e6cd753
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „270e6cd753“
${ noResults }
xmss-KAT-generator/xmss_commons.c

320 řádky
10 KiB
Surový Blame Historie 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "xmss_commons.h"

  10. 

  11. /**

  12.  * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.

  13.  */

  14. void ull_to_bytes(unsigned char *out, unsigned long long outlen,

  15.                   unsigned long long in)

  16. {

  17.     int i;

  18. 

  19.     /* Iterate over out in decreasing order, for big-endianness. */

  20.     for (i = outlen - 1; i >= 0; i--) {

  21.         out[i] = in & 0xff;

  22.         in = in >> 8;

  23.     }

  24. }

  25. 

  26. /**

  27.  * Computes the leaf at a given address. First generates the WOTS key pair,

  28.  * then computes leaf using l_tree. As this happens position independent, we

  29.  * only require that addr encodes the right ltree-address.

  30.  */

  31. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  32.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  33.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  34. {

  35.     unsigned char seed[params->n];

  36.     unsigned char pk[params->wots_keysize];

  37. 

  38.     get_seed(params, seed, sk_seed, ots_addr);

  39.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  40. 

  41.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  42. }

  43. 

  44. /**

  45.  * Used for pseudo-random key generation.

  46.  * Generates the seed for the WOTS key pair at address 'addr'.

  47.  *

  48.  * Takes n-byte sk_seed and returns n-byte seed using 32 byte address 'addr'.

  49.  */

  50. void get_seed(const xmss_params *params, unsigned char *seed,

  51.               const unsigned char *sk_seed, uint32_t addr[8])

  52. {

  53.     unsigned char bytes[32];

  54. 

  55.     /* Make sure that chain addr, hash addr, and key bit are zeroed. */

  56.     set_chain_addr(addr, 0);

  57.     set_hash_addr(addr, 0);

  58.     set_key_and_mask(addr, 0);

  59. 

  60.     /* Generate seed. */

  61.     addr_to_bytes(bytes, addr);

  62.     prf(params, seed, bytes, sk_seed, params->n);

  63. }

  64. 

  65. /**

  66.  * Computes a leaf node from a WOTS public key using an L-tree.

  67.  * Note that this destroys the used WOTS public key.

  68.  */

  69. void l_tree(const xmss_params *params,

  70.             unsigned char *leaf, unsigned char *wots_pk,

  71.             const unsigned char *pub_seed, uint32_t addr[8])

  72. {

  73.     unsigned int l = params->wots_len;

  74.     unsigned int parent_nodes;

  75.     uint32_t i;

  76.     uint32_t height = 0;

  77. 

  78.     set_tree_height(addr, height);

  79. 

  80.     while (l > 1) {

  81.         parent_nodes = l >> 1;

  82.         for (i = 0; i < parent_nodes; i++) {

  83.             set_tree_index(addr, i);

  84.             /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */

  85.             hash_h(params, wots_pk + i*params->n, wots_pk + (i*2)*params->n, pub_seed, addr);

  86.         }

  87.         /* If the row contained an odd number of nodes, the last node was not hashed.

  88.            Instead, we pull it up to the next layer. */

  89.         if (l & 1) {

  90.             memcpy(wots_pk + (l >> 1)*params->n, wots_pk + (l - 1)*params->n, params->n);

  91.             l = (l >> 1) + 1;

  92.         }

  93.         else {

  94.             l = l >> 1;

  95.         }

  96.         height++;

  97.         set_tree_height(addr, height);

  98.     }

  99.     memcpy(leaf, wots_pk, params->n);

  100. }

  101. 

  102. /**

  103.  * Computes a root node given a leaf and an auth path

  104.  */

  105. static void validate_authpath(const xmss_params *params, unsigned char *root,

  106.                               const unsigned char *leaf, unsigned long leafidx,

  107.                               const unsigned char *authpath,

  108.                               const unsigned char *pub_seed, uint32_t addr[8])

  109. {

  110.     uint32_t i, j;

  111.     unsigned char buffer[2*params->n];

  112. 

  113.     /* If leafidx is odd (last bit = 1), current path element is a right child

  114.        and authpath has to go left. Otherwise it is the other way around. */

  115.     if (leafidx & 1) {

  116.         for (j = 0; j < params->n; j++) {

  117.             buffer[params->n + j] = leaf[j];

  118.             buffer[j] = authpath[j];

  119.         }

  120.     }

  121.     else {

  122.         for (j = 0; j < params->n; j++) {

  123.             buffer[j] = leaf[j];

  124.             buffer[params->n + j] = authpath[j];

  125.         }

  126.     }

  127.     authpath += params->n;

  128. 

  129.     for (i = 0; i < params->tree_height-1; i++) {

  130.         set_tree_height(addr, i);

  131.         leafidx >>= 1;

  132.         set_tree_index(addr, leafidx);

  133.         /* Pick the right or left neighbor, depending on parity of the node. */

  134.         if (leafidx & 1) {

  135.             hash_h(params, buffer + params->n, buffer, pub_seed, addr);

  136.             for (j = 0; j < params->n; j++) {

  137.                 buffer[j] = authpath[j];

  138.             }

  139.         }

  140.         else {

  141.             hash_h(params, buffer, buffer, pub_seed, addr);

  142.             for (j = 0; j < params->n; j++) {

  143.                 buffer[j + params->n] = authpath[j];

  144.             }

  145.         }

  146.         authpath += params->n;

  147.     }

  148.     set_tree_height(addr, params->tree_height - 1);

  149.     leafidx >>= 1;

  150.     set_tree_index(addr, leafidx);

  151.     hash_h(params, root, buffer, pub_seed, addr);

  152. }

  153. 

  154. /**

  155.  * Verifies a given message signature pair under a given public key.

  156.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  157.  */

  158. int xmss_core_sign_open(const xmss_params *params,

  159.                         unsigned char *m, unsigned long long *mlen,

  160.                         const unsigned char *sm, unsigned long long smlen,

  161.                         const unsigned char *pk)

  162. {

  163.     unsigned long long i;

  164.     unsigned long idx = 0;

  165.     unsigned char wots_pk[params->wots_keysize];

  166.     unsigned char pkhash[params->n];

  167.     unsigned char root[params->n];

  168.     unsigned char msg_h[params->n];

  169.     unsigned char hash_key[3*params->n];

  170. 

  171.     unsigned char pub_seed[params->n];

  172.     memcpy(pub_seed, pk + params->n, params->n);

  173. 

  174.     uint32_t ots_addr[8] = {0};

  175.     uint32_t ltree_addr[8] = {0};

  176.     uint32_t node_addr[8] = {0};

  177. 

  178.     set_type(ots_addr, 0);

  179.     set_type(ltree_addr, 1);

  180.     set_type(node_addr, 2);

  181. 

  182.     *mlen = smlen - params->bytes;

  183. 

  184.     /* Convert the index bytes from the signature to an integer. */

  185.     for (i = 0; i < params->index_len; i++) {

  186.         idx |= ((unsigned long long)sm[i]) << (8*(params->index_len - 1 - i));

  187.     }

  188. 

  189.     /* Prepare the hash key, of the form [R || root || idx]. */

  190.     memcpy(hash_key, sm + params->index_len, params->n);

  191.     memcpy(hash_key + params->n, pk, params->n);

  192.     ull_to_bytes(hash_key + 2*params->n, params->n, idx);

  193. 

  194.     /* Compute the message hash. */

  195.     h_msg(params, msg_h, sm + params->bytes, *mlen, hash_key, 3*params->n);

  196.     sm += params->index_len + params->n;

  197. 

  198.     /* The WOTS public key is only correct if the signature was correct. */

  199.     set_ots_addr(ots_addr, idx);

  200.     wots_pk_from_sig(params, wots_pk, sm, msg_h, pub_seed, ots_addr);

  201.     sm += params->wots_keysize;

  202. 

  203.     /* Compute the leaf node using the WOTS public key. */

  204.     set_ltree_addr(ltree_addr, idx);

  205.     l_tree(params, pkhash, wots_pk, pub_seed, ltree_addr);

  206. 

  207.     /* Compute the root node. */

  208.     validate_authpath(params, root, pkhash, idx, sm, pub_seed, node_addr);

  209.     sm += params->tree_height*params->n;

  210. 

  211.     /* Check if the root node equals the root node in the public key. */

  212.     for (i = 0; i < params->n; i++) {

  213.         if (root[i] != pk[i]) {

  214.             for (i = 0; i < *mlen; i++) {

  215.                 m[i] = 0;

  216.             }

  217.             *mlen = -1;

  218.             return -1;

  219.         }

  220.     }

  221. 

  222.     /* If verification was successful, copy the message from the signature. */

  223.     for (i = 0; i < *mlen; i++) {

  224.         m[i] = sm[i];

  225.     }

  226. 

  227.     return 0;

  228. }

  229. 

  230. /**

  231.  * Verifies a given message signature pair under a given public key.

  232.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  233.  */

  234. int xmssmt_core_sign_open(const xmss_params *params,

  235.                           unsigned char *m, unsigned long long *mlen,

  236.                           const unsigned char *sm, unsigned long long smlen,

  237.                           const unsigned char *pk)

  238. {

  239.     uint32_t idx_leaf;

  240.     unsigned long long i;

  241.     unsigned long long idx = 0;

  242.     unsigned char wots_pk[params->wots_keysize];

  243.     unsigned char pkhash[params->n];

  244.     unsigned char root[params->n];

  245.     unsigned char *msg_h = root;

  246.     unsigned char hash_key[3*params->n];

  247.     const unsigned char *pub_seed = pk + params->n;

  248. 

  249.     uint32_t ots_addr[8] = {0};

  250.     uint32_t ltree_addr[8] = {0};

  251.     uint32_t node_addr[8] = {0};

  252. 

  253.     set_type(ots_addr, 0);

  254.     set_type(ltree_addr, 1);

  255.     set_type(node_addr, 2);

  256. 

  257.     *mlen = smlen - params->bytes;

  258. 

  259.     /* Convert the index bytes from the signature to an integer. */

  260.     for (i = 0; i < params->index_len; i++) {

  261.         idx |= ((unsigned long long)sm[i]) << (8*(params->index_len - 1 - i));

  262.     }

  263. 

  264.     /* Prepare the hash key, of the form [R || root || idx]. */

  265.     memcpy(hash_key, sm + params->index_len, params->n);

  266.     memcpy(hash_key + params->n, pk, params->n);

  267.     ull_to_bytes(hash_key + 2*params->n, params->n, idx);

  268. 

  269.     /* Compute the message hash. */

  270.     h_msg(params, msg_h, sm + params->bytes, *mlen, hash_key, 3*params->n);

  271.     sm += params->index_len + params->n;

  272. 

  273.     /* For each subtree.. */

  274.     for (i = 0; i < params->d; i++) {

  275.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  276.         idx = idx >> params->tree_height;

  277. 

  278.         set_layer_addr(ots_addr, i);

  279.         set_layer_addr(ltree_addr, i);

  280.         set_layer_addr(node_addr, i);

  281. 

  282.         set_tree_addr(ltree_addr, idx);

  283.         set_tree_addr(ots_addr, idx);

  284.         set_tree_addr(node_addr, idx);

  285. 

  286.         /* The WOTS public key is only correct if the signature was correct. */

  287.         set_ots_addr(ots_addr, idx_leaf);

  288.         /* Initially, root = msg_h, but on subsequent iterations it is the root

  289.            of the subtree below the currently processed subtree. */

  290.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  291.         sm += params->wots_keysize;

  292. 

  293.         /* Compute the leaf node using the WOTS public key. */

  294.         set_ltree_addr(ltree_addr, idx_leaf);

  295.         l_tree(params, pkhash, wots_pk, pub_seed, ltree_addr);

  296. 

  297.         /* Compute the root node of this subtree. */

  298.         validate_authpath(params, root, pkhash, idx_leaf, sm, pub_seed, node_addr);

  299.         sm += params->tree_height*params->n;

  300.     }

  301. 

  302.     /* Check if the final root node equals the root node in the public key. */

  303.     for (i = 0; i < params->n; i++) {

  304.         if (root[i] != pk[i]) {

  305.             for (i = 0; i < *mlen; i++) {

  306.                 m[i] = 0;

  307.             }

  308.             *mlen = -1;

  309.             return -1;

  310.         }

  311.     }

  312. 

  313.     /* If verification was successful, copy the message from the signature. */

  314.     for (i = 0; i < *mlen; i++) {

  315.         m[i] = sm[i];

  316.     }

  317. 

  318.     return 0;

  319. }